
Security: taylormurrell/task-manager

SECURITY.md

Security

Overview

Tasks is a client-side task management app built as a single HTML/CSS/JS file. It runs entirely in your browser with no backend, no accounts, and no external network requests. Data is stored in localStorage and never leaves your device.

Scope

Included: All client-side code (index.html), service worker (sw.js), PWA manifest, and static assets.

Not applicable: Server-side security, authentication, API security, database security, third-party integrations. None of these exist in this project.

Security Review Summary

Last reviewed: 2026-04-13

The following areas were checked:

  • Hardcoded secrets, tokens, API keys, and credentials
  • External script includes, CDN links, and outbound requests
  • XSS vectors (eval, innerHTML with user input, document.write)
  • localStorage data handling and potential PII exposure
  • Link validation and protocol restrictions
  • Git history for leaked credentials
  • Public files for unintended sensitive content

Result: No high or medium severity issues found.

Findings & Fixes

| Finding | Severity | Status |
| --- | --- | --- |
| Icon files oversized (~16 MB each) | Low | Noted — performance concern, not a security risk |
| No .gitignore present | Low | Fixed — added .gitignore with standard exclusions |
| One innerHTML usage with hardcoded strings | Low | Safe as-is — no user input reaches it |

No secrets, credentials, or data exposure issues were found.
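The two client-side checks the review lists above (XSS vectors and link protocol restrictions) and the accepted innerHTML pattern from the findings table, written out as an added example; this is not code from the task-manager project. It assumes task links are limited to http and https, that user-controlled fields are `title` and `link`, and that the result string is what would be assigned to innerHTML.

```javascript
// Added example, not the project's own code. Pure functions so the checks
// run under Node as well as in the browser.

// Assumption: only web links are allowed in tasks. Using the URL parser rather
// than a string-prefix check means "JavaScript:", padded or mixed-case variants
// are normalized the same way the browser would normalize them before navigating.
const ALLOWED_LINK_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized href for an allowed scheme, otherwise null.
function safeTaskLinkHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return null; // relative or malformed input is rejected, not guessed at
  }
  return ALLOWED_LINK_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Escapes the characters that change meaning inside HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds the markup for one task. The tags are hardcoded; user-controlled
// fields only reach the string through escapeHtml / safeTaskLinkHref, which
// is what makes assigning the result to innerHTML acceptable.
function renderTask(task) {
  const title = escapeHtml(task.title);
  const href = safeTaskLinkHref(task.link);
  const link = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">link</a>`
    : "";
  return `<li class="${task.done ? "done" : "open"}">${title}${link}</li>`;
}

// Constructed sample tasks (not real data): one clean, one with markup in the
// title, one with a non-http link that must be dropped rather than rendered.
const SAMPLE_TASKS = [
  { title: "Renew certificate", done: false, link: "https://example.com/docs" },
  { title: "Review <b>PR</b>", done: true, link: "" },
  { title: "Check notes", done: false, link: "javascript:void(0)" },
];

function renderTaskList(tasks) {
  return `<ul>${tasks.map(renderTask).join("")}</ul>`;
}
```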

Known Limitations

These are inherent to the design, not bugs:

  • localStorage is not encrypted. Anyone with physical access to the device (or a browser extension on the same origin) can read stored tasks. Don't store sensitive information in task fields.
  • No backup or sync. Clearing browser data deletes everything. There is no cloud backup or cross-device sync.
  • No authentication. Anyone with access to the browser can view and modify tasks.
  • Service worker caching. After updates, users may need to refresh or clear the cache to see the latest version.

Security Posture

This app has a minimal attack surface: no backend, no external dependencies, no user accounts, and no network requests. The primary risk is local data access, which is a known trade-off of the localStorage-only design.

Status: Low risk. Safe for public use.